TY - GEN
T1 - A Power Side-Channel Attack on the CCA2-Secure HQC KEM
AU - Schamberger, Thomas
AU - Renner, Julian
AU - Sigl, Georg
AU - Wachter-Zeh, Antonia
N1 - Publisher Copyright:
© 2021, Springer Nature Switzerland AG.
PY - 2021
Y1 - 2021
N2 - The Hamming Quasi-Cyclic (HQC) proposal is a promising candidate in the second round of the NIST Post-Quantum Cryptography Standardization project. It features small public key sizes, precise estimation of its decryption failure rates and contrary to most of the code-based systems, its security does not rely on hiding the structure of an error-correcting code. In this paper, we propose the first power side-channel attack on the Key Encapsulation Mechanism (KEM) version of HQC. Our attack utilizes a power side-channel to build an oracle that outputs whether the BCH decoder in HQC’s decryption algorithm corrects an error for a chosen ciphertext. Based on the decoding algorithm applied in HQC, it is shown how to design queries such that the output of the oracle allows to retrieve a large part of the secret key. The remaining part of the key can then be determined by an algorithm based on linear algebra. It is shown in experiments that less than 10000 measurements are sufficient to successfully mount the attack on the HQC reference implementation running on an ARM Cortex-M4 microcontroller.
AB - The Hamming Quasi-Cyclic (HQC) proposal is a promising candidate in the second round of the NIST Post-Quantum Cryptography Standardization project. It features small public key sizes, precise estimation of its decryption failure rates and contrary to most of the code-based systems, its security does not rely on hiding the structure of an error-correcting code. In this paper, we propose the first power side-channel attack on the Key Encapsulation Mechanism (KEM) version of HQC. Our attack utilizes a power side-channel to build an oracle that outputs whether the BCH decoder in HQC’s decryption algorithm corrects an error for a chosen ciphertext. Based on the decoding algorithm applied in HQC, it is shown how to design queries such that the output of the oracle allows to retrieve a large part of the secret key. The remaining part of the key can then be determined by an algorithm based on linear algebra. It is shown in experiments that less than 10000 measurements are sufficient to successfully mount the attack on the HQC reference implementation running on an ARM Cortex-M4 microcontroller.
KW - Error correction
KW - HQC
KW - Post-Quantum Cryptography
KW - Power analysis
KW - Side-channel analysis
UR - http://www.scopus.com/inward/record.url?scp=85101825038&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-68487-7_8
DO - 10.1007/978-3-030-68487-7_8
M3 - Conference contribution
AN - SCOPUS:85101825038
SN - 9783030684860
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 119
EP - 134
BT - Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers
A2 - Liardet, Pierre-Yvan
A2 - Mentens, Nele
PB - Springer Science and Business Media Deutschland GmbH
T2 - 19th International Conference on Smart Card Research and Advanced Applications, CARDIS 2020
Y2 - 18 November 2020 through 19 November 2020
ER -